Hello Martin,

Routers can check the source, and they can filter based on a simple set of rules that only allows IPs that should go through. The fact that they allow different source addresses causes many headaches for admins... flip side being unidirectional satellite setups need to send an alternate source address to have the traffic come back via the satellite link...

--
Best regards,
evilbunny mailto:[EMAIL PROTECTED]

http://www.SydneyWireless.com - Exercise your communications freedom to make it do what you never thought possible...

Friday, June 28, 2002, 4:23:09 PM, you wrote:

VMS> Huhhhh? In fact most routers don't check the source, nor do they care, which is why certain DoS attacks that spoof source IP addresses work. IP routing today is nearly always based only on the destination address. In normal IP packet forwarding, the source and destination IP addresses of a packet don't change during router hops (MAC/physical does). Hence a router receiving packets from another router will see all sorts of source IP addresses but it will not always have an iron-clad mechanism of determining they came from a legitimate source. The only way you can tell where the previous hop was is by the physical line and/or the source MAC address (which is usually the router's interface), but of course even this can be spoofed.

VMS> However, you are correct about the default behaviour when a locally-generated packet leaves an interface in Linux. (This doesn't apply to a routed/forwarded packet.)

VMS> I would probably use iptables to do what John wishes.

VMS> Regards, Martin

VMS> Martin Visser
VMS> Network Consultant - Global Services
VMS> COMPAQ, part of the new HP
VMS> 3 Richardson Place
VMS> North Ryde, Sydney NSW 2113, Australia
VMS> Phone: +61-2-9022-1670 Mobile: +61-411-254-513
VMS> Fax: +61-2-9022-1800 E-mail: martin.visserAThp.com

VMS> -----Original Message-----
VMS> From: Glen Turner [mailto:[EMAIL PROTECTED]]
VMS> Sent: Friday, 28 June 2002 3:32 PM
VMS> To: slug
VMS> Subject: Re: [SLUG] Source IP address

>> Is it possible to use iproute2 or something similar to use a particular
>> source address when sending to a particular subnet? (2.4 kernel)

VMS> The default behaviour is for a packet exiting ethN to have the source
VMS> IP address of ethN.

VMS> The router on ethN is perfectly entitled to discard packets coming
VMS> off that subnet which have the wrong source address (and the router
VMS> should be configured to do so).
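The source check this thread argues about, as an added example that is not part of any of the messages above: a reverse-path style filter that accepts or drops a packet based on its source address and arrival interface, including the one-way satellite case where the source legitimately belongs to another interface. The routing table, interface names, addresses and the exception list are constructed for illustration, and "loose" mode here is assumed to ignore the default route.

```python
import ipaddress

# Constructed routing table for a hypothetical router: (prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route to the upstream
    ("192.168.10.0/24", "eth1"),  # LAN attached to eth1
    ("203.0.113.0/24", "sat0"),   # block reached over the one-way satellite link
]
# Hypothetical per-interface exception list: extra source prefixes accepted on eth1.
EXTRA_ALLOWED = {"eth1": ["203.0.113.0/24"]}


def best_route(src, routes, allow_default=True):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net or (net.prefixlen == 0 and not allow_default):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def source_ok(src, in_iface, routes=ROUTES, mode="strict", extra=None):
    """Decide whether a packet with source src arriving on in_iface is accepted."""
    addr = ipaddress.ip_address(src)
    for prefix in (extra or {}).get(in_iface, []):
        if addr in ipaddress.ip_network(prefix):
            return True  # explicitly permitted source on this interface
    if mode == "strict":
        # Accept only if the route back to the source leaves via the arrival interface.
        route = best_route(src, routes)
        return route is not None and route[1] == in_iface
    if mode == "loose":
        # Accept if any non-default route to the source exists, on any interface.
        return best_route(src, routes, allow_default=False) is not None
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    for src in ("192.168.10.20", "203.0.113.5", "198.51.100.7"):
        print(src, "on eth1:",
              "strict", source_ok(src, "eth1"),
              "| loose", source_ok(src, "eth1", mode="loose"),
              "| strict+exception", source_ok(src, "eth1", extra=EXTRA_ALLOWED))
```

Strict mode drops the satellite-sourced packet along with the spoofed one; the per-interface exception lets the satellite source through while the unknown source is still dropped.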
